In many network setups, endpoint devices are monitored by different sensors, for example, antivirus or intrusion prevention systems. Typically, these sensors log activity to a log file or database on a server, such as a McAfee ePolicy Orchestrator (McAfee ePO) server or a security information and event management (SIEM) product, such as HP ArcSight® (ARCSIGHT is a registered trademark of HP) or NitroSecurity (NITROSECURITY is a trademark of McAfee). For simplicity, this discussion groups any activity recorded at a centralized server, whether to a database, memory store, or flat file, as a “log entry”. Under normal conditions, endpoints (computers existing on the monitored network) produce a “normal” set of log entries, in which both the entries themselves and the rate at which they occur are relatively similar across endpoints. However, when an unusual activity occurs, the log entries differ and the rate of log entries varies from that of other “normal” endpoint activity.
As an example, a typical kill chain in a web-based attack, such as Conficker, will prompt a user to select a hyperlink that vectors to a hidden iFrame containing script for an RPC request to an infected server. The request sprays the heap with shellcode and causes a buffer overflow in the target (victim) endpoint. The shellcode then generates an HTTP “get request” to download an infected application file and makes registry changes allowing it to execute as a service. In a lateral attack, an intruder attempts to infiltrate other endpoints on the network. One computer, infected with a remote access Trojan (RAT) variant, will attempt to infect shared files or harvest credentials from other endpoints. At some point, the attacker will begin exfiltration of data. In both of these scenarios, sensors will note more activity. VSE may report a buffer overflow. GTI may report traffic to a malicious or unknown server. Failed credentials, network traffic on unusual ports or to unknown IPs, execution of files from the \tmp directory, and other facets of an attack are all garnered by the disparate systems constituting a corporate security defense. Discrete components, for example VSE or NSP, see and log components of the attack. But, currently, the aggregate view is missing. However, the data exists for mining in the collection of logs in ePO or the SIEM.
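The aggregate view described above, as an added illustration that is not part of the original text: per-endpoint log entries from several sensors are collected in one place, and an endpoint is flagged when its entry rate is far from the peer median or when several distinct sensors report on it. The sensor names, the entry format and the thresholds are assumptions.

```python
"""Aggregate per-endpoint sensor log entries and flag endpoints whose entry
rate or sensor coverage deviates from the population of peers.
Added illustration; the log format, sensor labels and thresholds are assumed."""
from collections import defaultdict
from statistics import median

# Constructed log entries: (endpoint, sensor, event). Format is an assumption.
LOG_ENTRIES = [
    ("host-01", "VSE", "scan_clean"),
    ("host-02", "VSE", "scan_clean"),
    ("host-03", "VSE", "scan_clean"),
    ("host-04", "VSE", "scan_clean"),
    ("host-05", "VSE", "scan_clean"),
    ("host-02", "GTI", "reputation_ok"),
    ("host-03", "GTI", "reputation_ok"),
    # host-07 shows the multi-sensor pattern the text describes
    ("host-07", "VSE", "buffer_overflow"),
    ("host-07", "GTI", "unknown_server"),
    ("host-07", "NSP", "unusual_port"),
    ("host-07", "AUTH", "failed_credentials"),
    ("host-07", "AUTH", "failed_credentials"),
    ("host-07", "AUTH", "failed_credentials"),
]

def aggregate(entries):
    """Return {endpoint: {"count": n, "sensors": set}} across all sensors."""
    agg = defaultdict(lambda: {"count": 0, "sensors": set()})
    for endpoint, sensor, _event in entries:
        agg[endpoint]["count"] += 1
        agg[endpoint]["sensors"].add(sensor)
    return dict(agg)

def flag_outliers(agg, k=3.0, min_sensors=3):
    """Flag endpoints whose entry count exceeds median + k * MAD of the peer
    population ("rate") or that at least min_sensors distinct sensors report
    on ("multi-sensor"). Returns {endpoint: [reasons]}."""
    counts = [v["count"] for v in agg.values()]
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0  # guard zero spread
    flagged = {}
    for endpoint, v in agg.items():
        reasons = []
        if v["count"] > med + k * mad:
            reasons.append("rate")
        if len(v["sensors"]) >= min_sensors:
            reasons.append("multi-sensor")
        if reasons:
            flagged[endpoint] = reasons
    return flagged
```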